Last year, the FTC announced they were going to “crackdown on harmful commercial surveillance and lax data security,” and have been pursuing a number of lawsuits as a result. Many of these are bold in their approach, which may catch many corporate legal teams off guard.
For example, in October 2022, the FTC took action against online alcohol marketplace Drizly and its CEO James Cory Rellas after a data breach exposed the personal information of 2.5 million consumers. The FTC order requires Drizly to “destroy unnecessary data, restricts the data that the company can collect and retain, and binds Rellas to specific data security requirements for his role in presiding over unlawful business practices.”
Gerard Stegmaier, a partner at Reed Smith, told Legaltech News, one of the more alarming parts of the FTC’s enforcement actions is that it invokes personal liability against its CEO. While this falls within their authority, they only did so “when it was a fairly clear scheme to defraud consumers.”
Stegmaier continues, “So now the business doesn’t know what the law is; what they do know is that there’s a cop that’s out there stopping and frisking businesses and seeking to hold executives personally responsible. In a way, it gives tremendous clarity—if the [FTC] thinks you broke the law, you should be wary because the full weight of the federal government will come down on you.”
Along with holding executives accountable, the federal government may also be looking to tie together data privacy with anti-trust suits. The United States is currently investigating all four of the big tech giants (Google, Meta, Apple, and Amazon), although the FTC recently lost their suit against Meta in an attempt to restrict them from buying Virtual Reality (VR) content maker Within Unlimited.
According to Reuters, the FTC sued Meta in July to stop the Within deal “to head off what it sees as a repeat of the company acquiring small upcoming would-be rivals to dominate a market.” The FTC has separately filed an ongoing lawsuit against Meta's Facebook, in an attempt to force the sale of Instagram and WhatsApp, saying the social media company used a "buy or bury" strategy to snap up rivals and keep smaller competitors at bay.
With these more aggressive tactics of the federal government, along with newly active state privacy laws in California, Virginia, Colorado, and Connecticut beginning in January 2023, large enterprises should be prepared for investigations and litigation.
Here are 5 best practices enterprises can follow when it comes to keeping up with regulatory policy and keeping their data safe.
- Stay current and try to anticipate what's coming.
- Think broadly when defining reasonableness.
- Document, document, document.
- Understand the technology you're using and the data you're generating.
- Monitor and adapt.
